New York Federal District Court Strikes Down Application of the Computer Fraud and Abuse Act to ISP Throttling Case

As Internet traffic has exploded in the last decade, Internet Service Providers (ISP) – the companies who build and profit from providing the requisite infrastructure – have had to strategically maintain their networks to satisfy demand under increasingly tightening technological constraints. One way ISPs do this is by employing a practice called “throttling,” or limiting heavy users’ access to Internet servers to free up bandwidth for others. When one subscriber to an ISP’s service makes heavy demands to the network, such as downloading large amounts of videos, other users in the area suffer from decreased speed; throttling is one way of preventing this sort of problem. ISPs typically reserve their right to throttle in their terms and of service with customers.

While ISPs argue that throttling is a necessary practice, others argue that it amounts to the arbitrary limiting of access to a vital communications tool by a corporate entity and constitutes a dangerous overreach of power. Left without regulatory recourse, net neutrality advocates – or those opposed to the practice of throttling – have turned towards the application of other laws in their battle against ISP throttling.

In Serrano v. Cablevision Systems Corp., No. 09-CV-1056 (DLI) (MDG), a class action suit filed in the United States District Court for the Eastern District of New York, Plaintiffs Alyce Serrano and Andrea Londono alleged violations of the Computer Fraud and Abuse Act (CFAA) as well as various state law claims in relation to ISP throttling. According to their complaint, ISP Cablevision “wrongfully limited Plaintiffs’ use of certain peer-to-peer (“P2P”) applications without authorization, and thereby caused damage to Plaintiffs’ computers.” Specifically, Plaintiffs cited 18 U.S.C. § 1030(a)(5)(A)-(C), a section of the CFAA related to damages caused by “the transmission of a program, information, code, or command…without authorization” or “intentionally access[ing] a protected computer without authorization.”

The first key to successfully arguing a violation of the CFAA is proving that any access or action to a protected computer system was done “without authorization.” To Cablevision’s credit, Serrano and Londono both signed “Terms of Service” and “Acceptable Use Policy” documents at the time of their service installation and after subsequent work orders. These documents included provisions for Cablevision to reserve “the right to protect the integrity of its network and resources by any means it deems appropriate. This includes but is not limited to…putting limits on bandwidth.” The agreements also allow them to do so “without prior notification.”

The Court found that Plaintiffs’ claims arising under the CFAA were "defeated by the clear language of the Terms of Service and the Acceptable Use Policy." The Court found that based on Plaintiffs’ assent to these valid and enforceable provisions, "Plaintiffs cannot now claim that Cablevision acted ‘without authorization’ when it re-stricted their bandwidth."

Although Serrano and Londono argued that these contracts were vague and ambiguous and should not be considered valid, the Honorable Judge Dora L. Irizarry ruled that they were in fact proper and could be dutifully enforced. Judge Irizarry cited New York law related to agreements made over the internet, or so-called “click-wrap” contracts, in ruling them valid “as long as the consumer is given a sufficient opportunity to read the…agreement, and assents thereto after being provided with an unambiguous method of accepting or declining the offer.” As all such requirements were met in Cablevision’s case, Judge Irizarry ruled that the contracts, and therefore Cablevision’s right to authorized access of Plaintiffs protected computer systems for the purposes of throttling, were in fact legal and granted Cablevision’s motion for summary judgment.

For all of its wide-ranging applicability to legal matters in the digital space, the CFAA does not appear to be of much use in preventing ISP throttling. Arguing that an ISP does not have authorized access to regulate its own networks may be nearly impossible to assert given their financial right to the infrastructure as well as their responsibility to protect its functionality for all users. Coupled with the robust Terms of Service and Acceptable Use Policies likely employed industry wide, ISPs are not likely to be vulnerable to this type of CFAA claim.

It will be interesting to see how the issue of ISP throttling is addressed in future cases and possible legislation. ISPs argue that if they are not allowed to throttle heavy users, all users will eventually suffer from a decrease in Internet speed. As more Internet users trend towards heavy use, the problems may become more pronounced over time. With ISPs struggling to build out next generation networks to handle increased usage, costs could be passed on to consumers in new forms, including multi-tier pricing systems based on bandwidth usage similar to those being introduced by cellular data carriers. While the vast majority of Americans may never be subject to bandwidth throttling, the latitude ISPs are given in establishing this practice will set the stage for how ISPs are able to regulate the networks of tomorrow.